A Near Life Experience – Aftermath

After all the chaos of having my Guild Wars account hacked dissipated, I began to reflect on some of the misgivings I should realistically have as a customer. That the system eventually works is a small consolation in a hoop-jumping exercise that would put an HMO to shame. You see, I felt betrayed. (Warning: a bit ranty.)

I felt betrayed because at first I was treated like an enemy rather than a customer. It was as if NCSoft’s first decision upon an account being hacked is the view that the person had been entirely compromised. NCSoft clearly understood that my accounts were attacked by another, and when they locked my accounts they thought not to tell me unless I decided to try to log in. This makes no sense. Any other service where I had an account, I would fully expect to be contacted if the company was fairly certain the actions showing were not my own. This would be especially true if they had taken some action, like stopping the account.

They must have felt that my email, the one I use to log in to Guild Wars, was also gone. They thought the hacker likely had my date of birth, previous mailing addresses, previous NCSoft support ticket numbers, and credit card numbers. Even my credit card company does not need that much information to verify that I am who I am when I take the time and energy to contact them. What I didn’t have, that they really wanted, were the account keys. Unlike most, I still do have them, but they are not easily accessible. I wish that, when I did have them accessible, some big, freaking non-ignorable red letters surrounding the key had clearly stated that this information should be kept accessible in case of account issues. Who was I to think that the valuable personal information I was giving ArenaNet and NCSoft on account creation day meant diddly squat in comparison?

I have absolutely no malice toward all the men and women who helped me either via support ticket email or on the phone. They were extremely helpful and polite, and their hands were tied by this system that would make a government bureaucrat want to hang herself with red tape. For botters and cheaters, this stonewall system is great, but the same system does not work for an innocent account holder who was hacked. After five years of pretty constantly playing Guild Wars, I felt that I had made a pretty strong image of self. My email, the IPs I game from, the way I chat, who I chat with, were all pieces of evidence that ArenaNet / NCSoft could have used. And most importantly, do hackers really take the time to try and go through support and regain an account? I would be extremely surprised if they do.

I don’t expect anything to change, but I do hope that ArenaNet is looking at some stronger account options for Guild Wars 2 like World of Warcraft’s authenticator. With all the Extended Experience things they are doing, maybe they could just turn one of the apps into some sort of authenticator. Thankfully this is all behind me now, and hopefully I am more mindful of protecting my accounts on my end in the future.

Julian has the right of it above: dealing with “real money” like credit cards or government information brings law enforcement quick. Getting your WoW account stripped? Not so much.

I sympathize with Ravious, but I’ve been on both sides before. I’ve had accounts that I wanted to get back where I didn’t have the information, and I’ve had to deal with people who wanted their account back after someone else was using it for nefarious purposes.

Some security 101. There are three things you can use for security.

1. What you know. (Passwords)
2. What you have. (Smart card, CD key)
3. What you are. (Biometrics)

The problem here is that if your account is compromised, the one important bit you know is also compromised (your password). So, it’s time to look at other options. Option 3 is problematic if you haven’t set up some sort of system to record biometrics. Hmm, maybe allowing players to set up voice snippets for later voice recognition would be interesting…. Anyway, that leaves other things you know or have, like your credit card number, the account key you have, etc.

So, what would be a good solution here? Just resetting the account for anyone who calls and can’t provide proof would simply lead to more account compromises. Obviously it can be frustrating not to be able to get your account back when you lose it, but there’s no obvious solution to make everyone happy. It looks like the current situation is perhaps the best for now, even if it causes some real frustration for people who don’t have some information easily at hand.

Actually, they likely did. Assuming this isn’t an “inside job” and that security isn’t wide-open on their side, the people compromising the account either needed your password or access to an associated email account to reset the password. Ultimately they did need some bit of information to trick the system into thinking that they were really you. The problem is when you need to change that information, they need some uncompromised information to verify you are who you say you are. As I point out, the “easy” information is no longer available, so they need something a bit more arcane.